Tutorial: Configure Asana for automatic user provisioning
The objective of this tutorial is to show you the steps you need to perform in Asana and Azure Active Directory (Azure AD) to automatically provision and de-provision user accounts from Azure AD to Asana.
The scenario outlined in this tutorial assumes that you already have the following items:
- An Azure AD tenant
- An Asana tenant with an Enterprise plan or better enabled
- A user account in Asana with admin permissions
Azure AD provisioning integration relies on the Asana API, which is available to Asana.
Assign users to Asana
Azure AD uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users assigned to an application in Azure AD are synchronized.
Before you configure and enable the provisioning service, you must decide which users in Azure AD need access to your Asana app. Then you can assign these users to your Asana app by following the instructions here:
Important tips for assigning users to Asana
We recommend that you assign a single Azure AD user to Asana to test the provisioning configuration. Additional users can be assigned later.
Configure user provisioning to Asana
This section guides you through connecting your Azure AD to Asana user account provisioning API. You also configure the provisioning service to create, update, and disable assigned user accounts in Asana based on user assignments in Azure AD.
To enable SAML-based single sign-on for Asana, follow the instructions provided in the Azure portal. Single sign-on can be configured independently of automatic provisioning, although these two features complement each other.
To configure automatic user account provisioning to Asana in Azure AD
In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section.
If you already configured Asana for single sign-on, search for your instance of Asana by using the search field. Otherwise, select Add and search for Asana in the application gallery. Select Asana from the search results, and add it to your list of applications.
Select your instance of Asana, and then select the Provisioning tab.
Set Provisioning Mode to Automatic.
Under the Admin Credentials section, follow these instructions to generate the token and enter it in Secret Token:
a. Sign in to Asana by using your admin account.
b. Select the profile photo from the top bar, and select your current organization-name settings.
c. Go to the Service Accounts tab.
d. Select Add Service Account.
e. Update Name and About and the profile photo as needed. Copy the token in Token, and select it in Save Changes.
In the Azure portal, select Test Connection to ensure that Azure AD can connect to your Asana app. If the connection fails, ensure that your Asana account has admin permissions, and try the Test Connection step again.
Enter the email address of a person or group that you want to receive provisioning error notifications in Notification Email. Select the check box underneath.
Under the Mappings section, select Synchronize Azure Active Directory Users to Asana.
In the Attribute Mappings section, review the user attributes to be synchronized from Azure AD to Asana. The attributes selected as Matching properties are used to match the user accounts in Asana for update operations. Select Save to commit any changes. For more information, see Customize user provision attribute mappings.
To enable the Azure AD provisioning service for Asana, in the Settings section, change Provisioning Status to On.
Now the initial synchronization starts for any users assigned to Asana in the Users section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. Use the Synchronization Details section to monitor progress and follow links to provisioning activity logs. The audit logs describe all actions performed by the provisioning service on your Asana app.
For more information on how to read the Azure AD provisioning logs, see Report on automatic user account provisioning.